By some measures 80-90% of electronic messages are spam—an estimated 7,000,000,000 (7 trillion) in 2011. Spam annoys and offends recipients, drains tens of billions of dollars annually in lost productivity, and is a common vector for computer viruses and phishing scams. Spam also imposes costs on message service providers: operational costs such as hardware, bandwidth, and electricity are increased, while revenues decline as a degraded user experience drives away customers.
One method of reducing spam is IP blacklisting. Organizations such as SpamHaus classify IP addresses as belonging to spammers based on user feedback received from multiple message service providers. Then, every few hours, SpamHaus publishes an updated blacklist containing spammer IP addresses. Message service providers use this blacklist to automatically discard messages originating from a blacklisted IP. However, spammers circumvent these lists by acquiring new IP addresses and sending millions of spam messages before the next blacklist is published. Moreover, spammers circumvent blacklists by employing botnets—collections of hijacked computers used to perform malicious tasks—that enable spammers to send a large volume of spam in aggregate while only sending a small volume of spam from millions of fluctuating, or constantly changing IP addresses.
Thus, Message Service Providers (MSPs) additionally employ user-based feedback systems to identify spamming IP addresses. If enough users indicate that messages received from a particular IP address are spam, then subsequent messages from that IP address will be blocked. However, a user-based feedback system typically takes time during which spammers can send millions of spam messages. For example, many spammers register accounts with a target MSP and continuously probe spam defenses by attempting to spam their own accounts. Once a spam message gets through, the spammer floods the MSP with millions of spam messages before the user-based feedback system can react.
As such, an unacceptable amount of spam continues to evade these and other spam filtering techniques. Therefore, improved methods of classifying transient entities, such as IP addresses, are needed. Thus, it is with respect to these considerations and others that the present invention has been made.